Oddbean new post about | logout
 https://github.com/kayabaNerve/fcmp-ringct/blob/develop/fcmp%2B%2B.pdf

New paper from some Monero researchers (really new it seems - update date is last week!), in which they're proposing to use CurveTrees (the same construct I put into aut-ct as per my recent work) to get much larger anonymity sets (and I do mean *much larger*, from like 10ish to 100000000!).

One very notable thing (to me) is that the very easy and natural secp/secq 2-cycle (you realistically need a 2 cycle of curves for CurveTrees), has to be replaced with something more complex, because their DJB ed25519 curve has a cofactor of 8 (yet again non prime order curve biting them on the ass, lol).

Another interesting tidbit is that they propose to use Liam Eagan's recent work https://eprint.iacr.org/2022/596  (posted almost contemporaneously with Curve Trees); I remember Andrew Poelstra pointing me at this work in '22 and I said to him "I don't understand this" and he responded "yeah it was difficult so I got Liam to come round to my house and explain it" 😁 .. so yeah i'm sure some people can follow the ideas there but I am alas not yet one of them :)

They've also done a review of the generalized bulletproofs construction that Kamp et al used in their CurveTrees implementation: https://github.com/cypherstack/generalized-bulletproofs

Also interesting is that they talk about acheiving a "forward secrecy" property here, which linkable ring signatures can't have, by design: if a future ECDL breaker is found, it can always see the trace of payments in prior Monero because the linking tag reveals the private key if you can crack ECDLP. I'm not sure how this works but I believe it's to do with the Liam Eagan research just mentioned.

Finally, the extremely esoteric and dense mathematical concepts aside, it's worth mention a 1000 ft view: this proposal ditches ring signatures (and somehow they get backwards compatibility for the historical chain, though I absolutely don't understand that yet), and goes to a full ZKP proving system (bulletproofs arithmetic circuits) for full anon set. I can't help wondering if this direction makes sense - if we look at Zcash, they do the same thing, but using bilinear pairings they can get far more performant proof, proof size and verification stats, I believe (but, curvetrees can be very efficient so I'm not 100% sure about the details here). Ring sigs, as I've observed elsewhere, even with the fanciest algorithms, never quite cut it at the verification step to be able to support huge anonymity sets. If you're going to ditch them, you may just as well go with a Zcash style design, no?